Unable to download Client Config from OpenVPN Server

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
Forgot 1 thing: if you follow the linked video and have apps installed in Kubernetes there will be a plethora of errors that show up under Alerts in the GUI. Not to worry as these can just be ignored according to this post.
Thank you.

I was following that video up until he wanted me to change the final NAT command. The information he wants me to change, I'm not sure how to find. I don't know what he means by "my openVPN interface name". I don't recall naming it, but there's been a lot of things I'm sure I don't remember while doing this. Not exactly easy for a noob to retain!
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
You most likely didn't name it, it's just 'openvpn-server' by default. In the TrueNAS GUI, go to system settings, then shell and enter 'ip a'. This will show you all the interfaces on your machine, for me openvpn-server is the 5th from the top and what I entered in the command.
 

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
Thank you for all your help. I was able to locate the name. You were right, it was defaulted to openvpn-server. Unfortunately, I was still not able to get the VPN to work correctly. I am unable to see my network drives still :(. I don't know what else to do, unless I set up the config file wrong. I wish the TrueNAS Scale error wasn't happening. I'd love to be able to just use the downloaded one that it creates for me. I see on the GitHub that someone was able to locate the issue in the code and add a new line to bypass this problem. Unfortunately when I try to edit this line, it says that I am not a root user on my own TrueNAS server. Not sure if there is a way to enable this now that it's already installed, but I feel like I did!
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
To edit the line you have to put 'sudo' to run commands at root level, but even so I made this change myself and it just leads to another error I mentioned earlier in the thread (link).

If you're able to connect to the VPN I doubt the error is in your config file. Is your OpenVPN Server service running and configured to start automatically? Are you able to ping your TrueNAS machine from Windows when connected? Is your VPN server subnet different from the subnet you're trying to access? Also, this is kind of counterintuitive but the NAT rules override the need for a static route on your machine so if you have one that might be an issue.

Would you mind posting what you put in your OpenVPN Server settings and what you get after running ipconfig in windows command prompt while connected to the VPN (I'm unfamiliar with Windows but make sure to check you're not sharing your public IP or anything sensitive)? It would be much easier to try and help after seeing your config.

Also, this is trivial but I may have misread what you posted earlier and thought you were trying to route all internet traffic through OpenVPN. If you just want remote access to network drives, you can remove the 'push "redirect-gateway def1 bypass-dhcp"' and DNS lines in your server parameters. Of course it depends on your internet connection and hardware, but OpenVPN is relatively slow for internet use.
 

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
Hey! Sorry for the late response, I've been busy with work. Sorry if I miscommunicated. I just want to be able to access my home network drives from anywhere. I don't want to route all my internet usage through my VPN. I've attached the screenshots you asked for. I am NOT able to ping my TrueNAS server when connected to the VPN. I hope this helps!

OPEN VPN SET.png

OPEN VPN SET 2.png
ipconfig.png
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
No worries at all.
I noticed in the first screenshot the Additional Parameters field is empty, has it always been that way?
That's where lines like push "route 10.0.0.0 255.255.255.0" should go. Sorry if I was unclear about this before.

I don't know the subnet you're trying to connect to, but if your server is on the 10.0.0.0 subnet your additional parameters would just look like this:

push "route 10.0.0.0 255.255.255.0"
 

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
Thanks for the reply. How do I know what subnet I'm using? I'm not familiar with ANYTHING that I'm doing. All I know is I wanted to set up an old PC to run a few network drives that I can access from anywhere lol. I'm shocked I've gotten this far!
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
If my laptop has the IP 10.0.0.2 and my printer has the IP 10.0.1.10. Just that 1 number makes the whole difference and they are now on different subnets.

I assume (hope) the 10.20.0.0 subnet you entered in the Server Field in the first screenshot is taken from the youtube video I linked because that would make your life pretty easy. All you have to do is find what your TrueNAS ip is and enter that subnet into the push 'route blah blah' command I was talking about in the last post. For example, my TrueNAS machine has the ip 10.0.0.54. This means it's on the 10.0.0.0/24 subnet, so my Additional Parameters field (first screenshot) looks like this:
Code:
push "route 10.0.0.0 255.255.255.0"


And, hoping 10.20.0.0/24 isn't what your local network operates on, you should be good to go as far as that's concerned.

If (and only if) your TrueNAS machine operates on the 10.20.0.0/24 subnet, you have to choose a new VPN server subnet (something like 10.20.1.0/24) and switch that out for wherever 10.20.0.0/24 appears (including in NAT rule 4 you created from the youtube video).
I'll include my own config if it helps, just make sure to take note of your local subnet and VPN server subnet and switch them out where applicable. For reference, my VPN Server is 10.254.0.0/24 and my local subnet is 10.0.0.0/24 (it's safe to post local subnets since you'd have to already be through a firewall and in the network to access them, just not public IP addresses)

For NAT rule 4 in init/shutdown scripts I have:
Code:
nft 'add rule nat postrouting iifname openvpn-server oifname enp4s0 ip saddr 10.254.0.0/24 masquerade'


Screenshot 2023-01-12 at 12.15.01 AM.png


And please don't be embarrassed by not knowing this stuff! I was in your shoes 2-3 months ago, except I was too stubborn and prideful to post on the forum and ask for help, so I only know this stuff through google and a biblical amount of failure. I'm more than happy to assist you because I know how infuriating it is when going into setting it up blind, but I also know how great of a tool it is once configured.

As a sidenote, SHA1 is considered pretty weak regarding authentication algorithms. I have no reference of just how weak it is, but once you get a working setup I'd recommend going back and changing that just to be sure. I believe all you'd have to change is the 1 line in your client config that correlates.
 
Last edited:

Ericloewe

Server Wrangler
Moderator
Joined
Feb 15, 2014
Messages
20,194
A subnet is essentially every ip address that falls under the same first 3 numbers in the address.
Oh god no, this is going to seriously bite someone in the ass if they come across it and are not on a /24. The above is true if and only if the subnet is a /24, which corresponds to a netmask of 255.255.255.0 (the /24 means that the netmask is 24 ones long, hence three 255 octets -> 11111111.11111111.11111111.00000000 - the part not masked out by ones is your subnet).
 

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
A subnet is essentially every ip address that falls under the same first 3 numbers in the address. For example, if my laptop's IP is 10.0.0.2 and my printer's IP is 10.0.0.10, they are on the same 10.0.0.0/24 (ignore the /24 for now) subnet since '10.0.0' is shared in both IPs. If even 1 of the first 3 numbers is changed they would be on different subnets. E.g. if my laptop has the IP 10.0.0.2 and my printer has the IP 10.0.1.10. Just that 1 number makes the whole difference and they are now on different subnets.

Devices can only access other IP addresses on their subnet, so normal homes will just have devices on 1 subnet and never have to worry about it.

I assume (hope) the 10.20.0.0 subnet you entered in the Server Field in the first screenshot is taken from the youtube video I linked because that would make your life pretty easy. All you have to do is find what your TrueNAS ip is and enter that subnet into the push 'route blah blah' command I was talking about in the last post. For example, my TrueNAS machine has the ip 10.0.0.54. This means it's on the 10.0.0.0/24 subnet, so my Additional Parameters field (first screenshot) looks like this:
Code:
push "route 10.0.0.0 255.255.255.0"


And, hoping 10.20.0.0/24 isn't what your local network operates on, you should be good to go as far as that's concerned.

If (and only if) your TrueNAS machine operates on the 10.20.0.0/24 subnet, you have to choose a new VPN server subnet (something like 10.20.1.0/24) and switch that out for wherever 10.20.0.0/24 appears (including in NAT rule 4 you created from the youtube video).
I'll include my own config if it helps, just make sure to take note of your local subnet and VPN server subnet and switch them out where applicable. For reference, my VPN Server is 10.254.0.0/24 and my local subnet is 10.0.0.0/24 (it's safe to post local subnets since you'd have to already be through a firewall and in the network to access them, just not public IP addresses)

For NAT rule 4 in init/shutdown scripts I have:
Code:
nft 'add rule nat postrouting iifname openvpn-server oifname enp4s0 ip saddr 10.254.0.0/24 masquerade'



And please don't be embarrassed by not knowing this stuff! I was in your shoes 2-3 months ago, except I was too stubborn and prideful to post on the forum and ask for help, so I only know this stuff through google and a biblical amount of failure. I'm more than happy to assist you because I know how infuriating it is when going into setting it up blind, but I also know how great of a tool it is once configured.

As a sidenote, SHA1 is considered pretty weak regarding authentication algorithms. I have no reference of just how weak it is, but once you get a working setup I'd recommend going back and changing that just to be sure. I believe all you'd have to change is the 1 line in your client config that correlates.
Thank you for the load of information! Unfortunately I'm still super confused. My TrueNAS IP is 192.168.1.15 (this is the IP I use in the browser to connect to my server UI) - so what would my subnet be? Also what do I put in the "Server" box? Also I use TCP instead of UDP, I imagine it doesn't matter? I'm not using the NAT rules anymore since I didn't want to funnel all my traffic through the VPN. I just want to be able to access my local network SMB and log in to my TRUENAS server from anywhere.
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
Gladly edited to take that part out, let me know if I completely butchered every other part. Sorry about that, told you I had no idea what I was doing either lol
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
Ok, so since your TrueNAS IP is 192.168.1.15, the subnet it operates on is '192.168.1.0'. So your additional parameters should have
Code:
push 'route 192.168.1.0 255.255.255.0'
. You can keep your 'Server' field the same. The VPN just has to operate on a different subnet and 10.20.0.0 is different so you're fine there. You do need to put the NAT rules back though. From my understanding, they enable a firewall on TrueNAS that allows your device to access your 192.168.1.0 subnet. I would go back and copy the first 3 from the description of that youtube video, and your fourth one would be the same as what I posted in my previous comment (switching out 10.254.0.0/24 for 10.20.0.0/24). They won't funnel all your traffic through the VPN, don't worry.

You can use TCP or UDP, but UDP is faster. You can access all files in the same way no matter whether you're using TCP or UDP. On the screenshot you posted earlier you did have UDP selected, however. So if you would like to change to TCP just remember to change the 'proto' line in your client config as well.
 
Last edited:

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
Ok, so since your TrueNAS IP is 192.168.1.15, the subnet it operates on is '192.168.1.0'. So your additional parameters should have
Code:
push 'route 192.168.1.0 155.255.255.0'
. You can keep your 'Server' field the same. The VPN just has to operate on a different subnet and 10.20.0.0 is different so you're fine there. You do need to put the NAT rules back though. From my understanding, they enable a firewall on TrueNAS that allows your device to access your 192.168.1.0 subnet. I would go back and copy the first 3 from the description of that youtube video, and your fourth one would be the same as what I posted in my previous comment (switching out 10.254.0.0/24 for 10.20.0.0/24). They won't funnel all your traffic through the VPN, don't worry.

You can use TCP or UDP, but UDP is faster. You can access all files in the same way no matter whether you're using TCP or UDP. On the screenshot you posted earlier you did have UDP selected, however. So if you would like to change to TCP just remember to change the 'proto' line in your client config as well.
That works! Good news is I'm able to get openVPN to connect when I'm using my hotspot to simulate being "out of network". Bad news is I still can't connect to my drives or use the browser to navigate to my TrueNAS UI. Why would I be able to successfully connect to my VPN but not be able to use my SMB share or my TrueNAS UI?
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
Well, first off I made a typo. The line in additional parameters is supposed to be
Code:
push 'route 192.168.1.0 255.255.255.0'
So try that.

If that doesn't work, go to the network tab in the TrueNAS GUI and see what your interface name is. The default is enp4s0, but if yours is different you need to change just that part of your NAT rule 4 line. (just enp4s0 to whatever your default name is)
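
The three checks that come up in this thread (deriving the pushed route from the NAS address and its real prefix length instead of assuming a /24, catching a mistyped netmask such as 155.255.255.0, and keeping the VPN server subnet separate from the LAN) can be scripted before touching the Additional Parameters field. The Python below is an added example, not code from any poster or from TrueNAS; the function names are hypothetical, and the sample values are the ones quoted in the thread plus one constructed /26 case.

```python
import ipaddress
import re

# Matches: push "route <network> <netmask>" (single or double quotes).
PUSH_ROUTE = re.compile(r"""^push\s+["']route\s+(\S+)\s+(\S+)["']$""")


def netmask_to_prefix(mask):
    """Return the prefix length of a dotted netmask.

    A valid netmask is a run of one-bits followed by a run of zero-bits,
    so its bitwise inverse must have the form 2**k - 1.
    """
    value = int(ipaddress.IPv4Address(mask))
    host_bits = value ^ 0xFFFFFFFF
    if host_bits & (host_bits + 1):
        raise ValueError(f"{mask} is not a contiguous netmask")
    return 32 - host_bits.bit_length()


def push_route_for(host_cidr):
    """Build the push directive for the subnet a host address lives on.

    host_cidr is the address with its real prefix, e.g. 192.168.1.15/24.
    """
    net = ipaddress.ip_interface(host_cidr).network
    return f'push "route {net.network_address} {net.netmask}"'


def check_setup(directive, host_cidr, vpn_subnet):
    """Return a list of problems; an empty list means the values agree."""
    problems = []
    host = ipaddress.ip_interface(host_cidr)
    vpn = ipaddress.ip_network(vpn_subnet)

    # The VPN server subnet has to differ from the LAN it gives access to.
    if vpn.overlaps(host.network):
        problems.append(f"VPN subnet {vpn} overlaps LAN {host.network}")

    match = PUSH_ROUTE.match(directive.strip())
    if not match:
        problems.append("not a push route directive")
        return problems

    addr, mask = match.groups()
    try:
        prefix = netmask_to_prefix(mask)
        # Strict parsing rejects a network address with host bits set.
        pushed = ipaddress.ip_network(f"{addr}/{prefix}")
    except ValueError as exc:
        problems.append(str(exc))
        return problems

    if host.ip not in pushed:
        problems.append(f"pushed route {pushed} does not cover {host.ip}")
    return problems


if __name__ == "__main__":
    # Values quoted in the thread: NAS address, VPN server subnet, typo'd line.
    print(push_route_for("192.168.1.15/24"))
    print(check_setup("push 'route 192.168.1.0 155.255.255.0'",
                      "192.168.1.15/24", "10.20.0.0/24"))
    # Constructed non-/24 case: the network address is not x.x.x.0.
    print(push_route_for("192.168.1.200/26"))
```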
 

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
HOLY SH**! This worked! Your typo set me up for failure LOL. I appreciate all of your help so freaking much. I finally am able to access my NAS and my drives via my phone's hotspot. This is great! Thank you!
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
Well that's a fitting ending lmao. No problem, glad I could help!!
 

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
Thank you so much! This has been days' worth of work for me lol. I'm thinking I'm slowly understanding some of it. My last and final question to you is this. I left my NAS on all night (first time since setup) and when I came home, it had a new IP address. It was 192.168.1.27 last night but today it was 192.168.1.15. Why would it change? When it changed I had to manually update my port forwarding and a few other things. Is there a way to make sure that doesn't happen?
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
Again, the info I'm giving could be wrong, and hopefully someone else with more knowledge chimes in if so, but I believe what you're dealing with is called a DHCP server. It automatically gives devices open IP addresses, which is great for most devices. To fix this you can go into the TrueNAS GUI, then to the network tab, then click on your interface (enp4s0). Uncheck DHCP if it's checked then it'll have an aliases field where you can put whatever address you'd like to keep it on. (e.g. 192.168.1.15/24) There will be a popup that makes you test changes, then if it works there will be a save button.

IDK if this is strictly necessary but you can also create an IP reservation on your router. The instructions vary per router but a google search with your router name and IP reservation should give you instructions. I would assume with port forwarding this would already be enabled so you might just have to do the TrueNAS bit.
 

Sufarry

Dabbler
Joined
Jan 7, 2023
Messages
17
Thank you! I found a way to reserve an IP through my router. Thank you for your help. I'm almost going to miss your replies lol. So much knowledge you have for only being in it for a few months!
 

Ant385525

Dabbler
Joined
Nov 28, 2022
Messages
17
You're welcome!! And it pays to be a college student on break I guess LOL
 